INSPECTOR GENERAL
DEPARTMENT OF DEFENSE
400 ARMY NAVY DRIVE
ARLINGTON, VIRGINIA 22202-4704

May 18, 2007

MEMORANDUM FOR UNDER SECRETARY OF DEFENSE ACQUISITION, TECHNOLOGY, AND LOGISTICS
               UNDER SECRETARY OF DEFENSE (COMPTROLLER)/CHIEF FINANCIAL OFFICER
               ASSISTANT SECRETARY OF DEFENSE (NETWORKS AND INFORMATION INTEGRATION)/DEPARTMENT OF DEFENSE CHIEF INFORMATION OFFICER
               DIRECTOR, DEFENSE FINANCE AND ACCOUNTING SERVICE
               DIRECTOR, DEFENSE INFORMATION SYSTEMS AGENCY

SUBJECT: DFAS Corporate Database/DFAS Corporate Warehouse Compliance with the Defense Business Transformation Certification Criteria (Report No. D-2007-101)

Introduction. We are providing this report for your information and use. No written response to this report was required. Therefore, we are publishing this report in final form.

Background. The Deputy Under Secretary of Defense (Business Transformation) requested that we review DoD Component compliance with the Defense Business Transformation System Certification Criteria. This report is one in a series and discusses compliance of the Defense Finance and Accounting Service (DFAS) Corporate Database/DFAS Corporate Warehouse (DCD/DCW) with the Defense Business Transformation System Certification Criteria. Additional reports will discuss other business systems' compliance.

The "Ronald W. Reagan National Defense Authorization Act for Fiscal Year 2005" (NDAA) states that funds appropriated for Defense business system modernizations in excess of $1 million may not be obligated unless certified by the Designated Approving Authority and approved by the Defense Business Systems Management Committee. To comply with the NDAA, the Defense Business Systems Management Committee issued the "Investment Review Board Concept of Operations." The Investment Review Board Concept of Operations provides guidance on certifying Defense business system investments in excess of $1 million, which require review and approval by the Office of the Secretary of Defense (OSD). Defense business system investments under $1 million do not require an OSD-level review and approval unless designated as a special interest program.* Instead, investments under $1 million are subject to a Component-level review and approval process. Component-level investment review processes should be consistent with the NDAA and the Investment Review Board Concept of Operations.

* "Special interest" is based on technological complexity, Congressional interest, or program criticality to the achievement of a capability or set of capabilities. Special interest is also based on whether the program is a joint program or whether the resources committed to the program are substantial.

The Business Transformation Agency (BTA) currently owns DCD/DCW; however, at the time of this audit, DFAS owned the system. DCD/DCW is a Tier 2 system designated as a special interest program. DCD/DCW serves as a centralized repository of consolidated DoD financial information that facilitates the sharing of information among systems, functions, and applications, and with internal and external customers.

Objectives. The overall objective was to determine whether DCD/DCW was properly certified and accredited in accordance with Defense Business Transformation Certification criteria. Specifically, we determined whether DCD/DCW complied with the Investment Review Process.

Scope and Methodology. We performed the audit at DFAS Headquarters in Arlington, Virginia, and at DFAS Indianapolis, Indiana. We reviewed the DFAS Investment Review Process used to approve the obligation of funding for FY 2006 DCD/DCW modernization efforts. We interviewed members of the Investment Review Working Group (IRWG), as well as the DCD/DCW system manager. We also obtained and reviewed DFAS Investment Review Process procedures and documentation. Specifically, we reviewed charters, designation letters, the FY 2006 DCD/DCW modernization workbook, and other related documentation.

We compared the procedures and documentation we found to the following laws, policies, and DFAS guidance related to the Defense Investment Review Process:

   • Public Law 108-375, "Ronald W. Reagan National Defense Authorization Act for Fiscal Year 2005," October 28, 2004;

   • Public Law 104-208, "Federal Financial Management Improvement Act," September 30, 1996;

   • Public Law 104-106, "Clinger-Cohen Act," February 10, 1996;

   • DoD Instruction 5200.40, "DoD Information Technology Security Certification and Accreditation Process," December 30, 1997;

   • DoD Manual 8510.1-M, "DoD Information Technology Security Certification and Accreditation Process Application Manual," July 31, 2000;

   • "Investment Review Process Overview and Concept of Operations For Investment Review Boards," May 17, 2005;

   • "Business Systems Investment Review Proposal Submission Guideline," July 17, 2005; and

   • "DoD Information Technology Registry Merger Into the DoD Information Technology Portfolio Registry," September 28, 2005.

We performed this audit from May 17, 2006, through June 16, 2006, in accordance with generally accepted government auditing standards. We postponed the audit due to other priorities and reannounced the audit on March 5, 2007. We did not review the management control program as it related to the Investment Review Process because none has been established for this process.

Results. Our review of the Investment Review Process for DCD/DCW identified three deficiencies. First, DFAS did not have controls in place to ensure segregation of duties when posting the certification package to the DFAS e-Portal and the Investment Review Board (IRB) Portal. Second, controls were not in place to monitor and track changes made to the certification documentation after the package was posted to the DFAS e-Portal and the IRB Portal. Third, the DCD/DCW Program Office did not obtain the appropriate coordination signatures for the System Security Authorization Agreements (SSAAs) for DCD/webMethods© and DCW/Cognos® before the Designated Approving Authority (DAA) certified the system.

We understand that DCD/DCW transitioned to BTA and is no longer the responsibility of DFAS. However, the DFAS certification submission process should include procedures that maintain segregation of duties when posting certification information to the DFAS e-Portal and the IRB Portal; monitor and track changes made to certification documentation; and ensure that the SSAAs include all coordination signatures prior to DAA approval.

Segregation of Duties. The DCD/DCW Program Office could not maintain segregation of duties when posting the completed certification package to the DFAS e-Portal, as required by the Investment Review Submission guidelines. Specifically, staff in the DFAS Chief Information Officer's (CIO) office posted the certification package information to both the DFAS e-Portal and the IRB Portal. This occurred because the DCD/DCW system manager did not have access to the e-Portal. DFAS implemented the DFAS e-Portal in June 2005, and the DFAS CIO granted DFAS e-Portal access to the DCD/DCW Business Line Portfolio Manager, who initially uploaded the certification information. After DFAS phased out Business Lines in March 2006, the DFAS CIO granted system managers access to the DFAS e-Portal. However, the DFAS CIO had not trained the system managers on the use of the DFAS e-Portal, and the deadline for submitting certification information was August 2006. Therefore, to prevent further delays in submitting the certification documents, the DFAS CIO staff stepped in to upload documents to the DFAS e-Portal until the DFAS CIO could properly train the system managers. To preserve the integrity of the certification package, the DCD/DCW Program Office should upload certification information to the DFAS e-Portal, and the DFAS CIO Office should upload certification information to the IRB Portal.

Investment Review Submission guidelines require that the Pre-Certification Authority post business system certification submission documents to the IRB Portal. Likewise, the DFAS CIO requires program managers to post system information to the DFAS e-Portal. DFAS system managers and the DFAS CIO should ensure proper segregation of duties by requiring the DCD/DCW system manager to post the certification submission package to the DFAS e-Portal and requiring the DFAS CIO to post the certification documents to the IRB Portal. Although we identified this discrepancy during the audit, DFAS has since resolved the issue by granting access to the DFAS e-Portal to all system managers in March 2006. The DFAS CIO staff no longer uploads certification documents to the DFAS e-Portal.

Change Controls. Controls were not in place to monitor and track changes made to certification documents posted to the DFAS e-Portal. Specifically, the DCD/DCW Program Office did not maintain a record of changes made to DCD/DCW certification information after it posted the information to the DFAS e-Portal. In addition, controls did not exist to ensure that the certification information submitted by the system manager to the Business Line Portfolio Manager and the DFAS CIO staff matched the certification information in the DFAS e-Portal and the IRB Portal. This occurred because the DCD/DCW system manager did not have access to the DFAS e-Portal at the time of submission. The Business Line Portfolio Manager from the DFAS Acquisition Management Office worked with the DCD/DCW system manager and functioned as a coordinator for uploading the certification information to the DFAS e-Portal. Since only the Business Line Portfolio Manager had access to the DFAS e-Portal, the DCD/DCW system manager could not verify that all requested changes were reflected in the current version of the certification information in the DFAS e-Portal.

Although the DFAS e-Portal maintains all versions of certification submissions, information may be unintentionally altered without the knowledge of the system manager. Consequently, management may not be able to rely on the certification information. Although we identified this discrepancy during the audit, DFAS has since resolved the issue by granting access to the DFAS e-Portal to all system managers in March 2006.

Coordination Signatures for the SSAAs. DCD/DCW was not in full compliance with the DoD Information Technology Security Certification and Accreditation Process (DITSCAP). Specifically, the DCD/DCW Program Office did not obtain the coordination signatures on the SSAAs for DCD/webMethods© and DCW/Cognos® before the DAA certified the system. This occurred because DCD/DCW Program Office staff received inaccurate information from the DAA office regarding the requirement for signatures. As a result of the lack of signature coordination, there was no way to determine whether the SSAA had been properly reviewed. This may compromise the confidentiality, integrity, and availability of the system's data.

The DITSCAP describes the SSAA as a formal agreement among the DAA, certifier, user representative, and program manager. The purpose of the SSAA is to be the basis of agreements throughout the system's life cycle. At each stage of development or modification, more details are added to the SSAA. Any changes in the system that affect its security posture must be submitted to the DAA, certifier, program manager, and user representative for approval and inclusion in a revised SSAA. In order for the SSAA to serve as a reliable, formal agreement, it must be signed by the certifier, user representative, and program manager before it is certified by the DAA. The staff was informed that signatures would be required in the future but were not necessary at that time. However, while we were on site, the program office obtained the necessary signatures and included them in the current SSAA.

Discussion of Results. We discussed the results of our work with the DCD/DCW Program Office staff. They concurred with our conclusions, and DFAS took action to correct the segregation of duties and change control deficiencies. The program office corrected the coordination of signatures issue during the audit. As a result, this memorandum report contains no recommendations and requires no further action.

We appreciate the courtesies extended to the staff. Questions should be directed to Patricia A. Marsh at (703) 428-1422 (DSN 328-1422) or Donna A. Roberts at (703) 428-1070 (DSN 328-1070).

                        Paul J. Granetto, CPA
                        Assistant Inspector General and Director
                        Defense Financial Auditing Service

cc:
Deputy Under Secretary of Defense for Business Transformation
Director, Acquisition Resource and Analysis